CISA Certified Information Systems Auditor Questions and Answers

Haphazard sampling

Attribute sampling

Variable sampling

Quota sampling

No audit finding is recorded as it is normal to distribute a key of this nature in this manner

An audit finding is recorded as the key should be asymmetric and therefore changed

No audit finding is recorded as the key can only be used once

An audit finding is recorded as the key should be distributed in a secure manner

The organization may be more susceptible to cyber-attacks.

The organization may not be in compliance with licensing agreement.

System functionality may not meet business requirements.

The system may have version control issues.

A comprehensive asset inventory

A tested incident response plan

An approved patching policy

A robust tabletop exercise plan

Risk management strategy is approved by the audit committee

Risk evaluation is embedded in management processes.

Local managers are solely responsible for risk evaluation

IT risk management is separate from corporate risk management

Header record with timestamp

Record count

Control file

Secure File Transfer Protocol (SFTP)

Third-party cost

Incident priority rating

Data sensitivity

Audit approval

A heat map with the gaps and recommendations displayed in terms of risk

Available resources for the activities included in the action plan

Supporting evidence for the gaps and recommendations mentioned in the audit report

A management response in the final report with a committed implementation date

Potentially fraudulent invoice payments originating within the accounts payable department

Completion of inappropriate cross-border transmission of personally identifiable information (Pll)

Unauthorized salary or benefit changes to the payroll system generated by authorized users

Issues resulting from an unsecured application automatically uploading transactions to the general ledger

Equipment incompatibilities

National privacy laws

Political unrest

Software piracy laws

Dynamic application security testing tools

Security business impact analysis (BIA)

Checks of dependencies between code libraries

Technical documentation review policies

Improving system performance

Reducing hardware maintenance costs

Minimizing business loss

Compensating for the lack of contingency planning

To ensure there are sufficient dedicated resources in place to facilitate data transfer

To ensure receiving data fields have been configured according to the structure of the transmitted data

To ensure the data is backed up on a regular basis

To ensure access control lists are accurately and completely maintained

are used by similar industries to measure the effect of IT on business strategy.

measure the effectiveness of IT controls in the achievement of IT strategy.

provide quantitative measurement of IT initiatives in relation with business targets,

are expressed in terms of how IT risk impacts the achievement of business goals.

Annual loss expectancy

Maximum tolerable downtime

Data classification scheme

Existing server redundancies

Audit objectives and scope

Required training for audit staff

The process of developing the annual audit plan

The authority given to the audit function

Improved communication with management due to more confidence with data results

Better risk assessments due to the identification of anomalies and trends

Higher-quality audit evidence due to more representative audit sampling

Expedient audit planning due to early identification of problem areas and incomplete data

security parameters are set in accordance with the organizations policies

security parameters are set in accordance with the manufacturer's standards

a detailed business case was formally approved prior to the purchase.

the procurement project invited tenders from at least three different suppliers.

User acceptance testing (UAT) has not been properly documented for all changes.

Data conversion procedures did not include all business applications and interfaces.

The payroll processing application does not follow a regularly scheduled patching cycle.

Changes to the interface configuration settings were not adequately tested and approved.

determining the business functions undertaken by a system or program.

estimating the size of a system development task

estimating the elapsed time of the project

analyzing the functions undertaken by system users as an aid to job redesign

formally records the annual and quarterly audit plans

documents the audit process and reporting standards

describes the auditors' authority to conduct audits

defines the auditors' code of conduct

To comply with legal and regulatory requirements

To provide options to individuals regarding use of their data

To prevent confidential data loss

To identify data at rest and data in transit for encryption

Invest in current technology

Create a technology watch team that evaluates emerging trends.

Make provisions In the budgets for potential upgrades.

Create tactical and strategic IS plans

Patch cycle report

Vulnerability scanning report

Black box testing report

White box testing report

Procedure updates

Migration of data

System manuals

Unit testing

It is difficult To enforce the security policy on personal devices

It is difficult to maintain employee privacy.

IT infrastructure costs will increase.

Help desk employees will require additional training to support devices.

To ensure continuity of processes and procedures

To optimize use of business team resources

To avoid conflicts of interest

To ensure favorable price negotiations

Logs are being collected in a separate protected host.

Access to configuration files is restricted.

Insider attacks are being controlled.

Automated alerts are being sent when a risk is detected.

Built-in data error prevention application controls

Industry standard business definitions

Input from customers

Validation of rules by the business

Discuss with the audit team to understand how conclusions were reached.

Determine whether audit evidence supports audit conclusions.

Escalate the situation to senior audit leadership.

Notify the audit committee of the situation.

Use an emergency ID to move production programs into development.

Request that the help desk make the changes.

Update production source libraries to reflect changes.

Obtain user management approval before implementing the changes.

completeness of user documentation.

integrity of key calculations.

effectiveness of user training.

change requests initiated after go-live.

The testing could create application availability issues.

The testing may identify only known operating system vulnerabilities.

The issues identified during the testing may require significant remediation efforts.

Internal security staff may not be qualified to conduct application penetration testing.

The incident response team did not initiate actions to limit the impact of the incident

Incident response team members' contact details were not up to date.

The root cause of the incident was not properly identified and documented

The incident was caused by an attacker that exploited a zero-day vulnerability.

a security team.

data classification.

training manuals.

data encryption.

Surge protection devices

Alternative power supplies

Power line conditioners

Generators

Misconfiguration and missing updates

Malicious software and spyware

Zero-day vulnerabilities

Security design flaws

Allow more time and test the required sample

Select a judgmental sample

Select a stratified sample

Lower the desired confidence level

Meet with the project sponsor to discuss the incomplete document.

Prepare a finding for the audit report.

Inform audit management of possible risks associated with the deficiency.

Escalate to the project steering committee.

The new functionality may not meet requirements

The added functionality has not been documented

The project may go over budget.

The project may fail to meet the established deadline

copy the contents of the hard drive.

disconnect it from the network.

terminate all active processes

disconnect the power source.

Build in system logic to trigger data deletion at predefined times.

Perform a sample check of current data against the retention schedule.

Review the record retention register regularly to initiate data deletion.

Execute all data deletions at a predefined month during the year.

Classify operations.

Conduct a business impact analysis (BIA)

Develop business continuity training.

Establish a disaster recovery plan (DRP)

Alignment of project performance to pay incentives

Adoption of business case and earned value templates

Use of Gantt charts and work breakdown structures

Measurement against defined and documented procedures

Annual loss expectancy

Maximum tolerable downtime

Data classification scheme

Existing server redundancies

Problem records are prioritized based on the impact of incidents

Some incidents are closed without problem resolution.

Root causes are not adequately identified

Problems are frequently escalated to management for resolution

Establishing an information security operations team

Updating data loss prevention software

Implementing an information security policy

Configuring data encryption software

Background checks

Time reporting

Employee code of ethics

Mandatory time off

No periodic assessments to identify threats and vulnerabilities

No dedicated security officer

No employee awareness training and education program

No official charter for the information security management system

Appoint a business unit representative.

Write test cases from the user requirements.

Trace the changes to requirements back to all affected products.

Set up a configuration control board.

Performance metrics dashboard

Control self-assessments (CSAs)

Regular internal audits

Project management

IT budget

Business impact analysis (BIA)

IT resource plan

Project portfolio

Developing computer-assisted audit techniques (CAATs) during transaction audits

Performing sampling tests on transactions processed at the end of each day

Running continuous auditing scripts at the end of each day

Using supervised machine learning techniques to develop a regression model to predict incorrect input

Alternate between control self-assessment (CSA) and general audits every year.

Have control self-assessments (CSAs) and formal audits of application on alternating years

Implement risk assessment criteria to determine audit priorities

Proceed with the plan and integrate all new applications

Audit logs are not enabled on the server.

The server is outside the domain.

The server's operating system is outdated.

Most suspicious activities were created by system IDs.

Attend project progress meetings to monitor timely implementation of the application.

Assist users in the design of proper acceptance-testing procedures.

Follow up with project sponsor for project's budgets and actual costs.

Review functional design to determine that appropriate controls are planned.

Earned-value analysis (EVA)

Project plan

SWOT analysis

Gantt chart

An organization in which processes are repeatable and results periodically reviewed

An organization m a state of dynamic growth with continuously updated policies and procedures

An organization with established sets of documented standard processes

An organization with processes systematically managed by continuous improvement

Photo IDs

CCTV monitoring

Retina scanner

RFID badge

Pilot implementation

Phased implementation

Direct cutover

Parallel simulation

comply with risk management policies

comply with data classification changes.

react to changes in the IT environment.

utilize IT resources in a cost-effective manner.

Platform as a Service (PaaS).

Software as a Service (SaaS).

Infrastructure as a Service (laaS).

Identity as a Service (IDaaS).

Between virtual local area networks (VLANs)

At borders of network segments with different security levels

Between each host and the local network switch/hub

Inside the demilitarized zone (DMZ)

Containment, analysis, tracking, and recovery

Post-incident assessment

Planning and preparation

Detection, triage, and investigation

prior-year recommendations have become irrelevant

significant changes to the control environment have occurred

identified control weaknesses have been addressed

inherent risks have changed

benefits realization has been evidenced

there are unresolved high-risk items

the project adhered to the budget and target date.

users were involved in the quality assurance (QA) testing.

Perform a risk analysis of the relevant security issues.

Prioritize funding for next year's budget.

Discuss adding compensating controls with the vendor.

Implement stronger security patch management processes.

Understanding the business process

Performing detailed test procedures

Evaluating changes to the risk environment

Determining the scope of the assessment

Human resources (HR) policy on organizational changes

Provisions for cross-training

Succession and promotion plans

Job functions and duties

Device registration

An acceptable use policy

Device baseline configurations

An awareness program

Detective control

Directive control

Preventive control

Corrective control

functional conversion rules

go-live conversion results.

conversion user acceptance testing (UAT) results.

detailed conversion approach templates

Perform additional quality control steps after selecting the samples

Review the query or parameters used to download the data before selecting samples

Obtain access to the quality assurance (QA) system to independently download the information

Request the data owner to verify and approve the information

Requiring long and complex passwords for system access

Implementing a security information and event management (SIEM) system

Requiring internal audit to perform periodic reviews of system access logs

Protecting access to the data center with multif actor authentication

Change requests do not contain backout plans.

There are no documented instructions for using the tool.

Access to the tool is not approved by senior management.

Access to the tool is not restricted.

Inability to obtain customer confidence

Inability to manage access to private or sensitive data

Failure to comply with data-related regulations

Failure to prevent fraudulent transactions

The certificate revocation list has not been updated.

The private key certificate has not been updated.

The PKI policy has not been updated within the last year.

The certificate practice statement has not been published.

Integrity of records

Confidentiality of records

Availability of records

Distribution of records

The formal documentation of the process and how adherence is measured

Whether the existence of preventive controls causes corrective controls to become unnecessary

Whether segregation of duties is in place when two controls are applied simultaneously

The various points in the process where controls are exercised

Number of security incidents

Trending of social engineering test results

Surveys completed by randomly selected employees

Results of a third-party penetration test

Transport Layer Security (TLS)

Secure Shell (SSH)

Point-to-Point Protocol (PPP)

Internet Key Exchange (IKE)

Attribute sampling

Statistical sampling

Judgmental sampling

Stop-or-go sampling